Ask The Security Expert: Questions & Answers

Is there a hole in my Cisco Pix Firewall?

EXPERT RESPONSE FROM: Ed Yakabovicz

QUESTION POSED ON: 01 November 2004
My company recently went from a border manager to a Cisco Pix Firewall. After about a week our outgoing e-mail stopped going out except for at night (incoming and in-house e-mail are not affected). It appears to me someone is sending e-mail from our server. I called our service provider's tech support, who told me it appeared that anyone could be sending e-mail from our account. I am assuming this means the service provider left a hole in my firewall. I have dealt with this provider in the past, so I have a feeling they will deny this happened. Is there a way I can tell if there is a hole in the firewall? Could anything else cause this?

If you're allowing e-mail traffic through your firewall, you've likely got a "hole" in it - TCP port 25 for the e-mail protocol SMTP. Unfortunately, this is a necessary evil. There's likely something else going on, so here are a few things to consider doing:
  • Change the terminal and enable passwords on your PIX firewall.
  • Look for old/unused e-mail accounts. Disable or delete any that you find since these can be a source of compromise.
  • Change user passwords on your e-mail server. (You may have to change network passwords in conjunction with this.)
  • Change the administrator password on the e-mail server.
  • Test your e-mail server for SMTP relay at www.abuse.net/relay.html or a similar site.
  • Turn off SMTP relay for outside addresses on your email server if possible.
  • Look at your PIX firewall ruleset and make sure the SMTP rules are in place. You should see something similar to:
    conduit permit tcp host PUBLIC_IP_ADDRESS eq smtp any
    conduit permit tcp host MAILSERVER_PRIVATE_IP_ADDRESS eq smtp any
  • Test your systems for vulnerabilities using an external tool. (Note: External port scans aren't enough, so consider using a reputable tool that can dig a little deeper such as QualysGuard.)

If you still have problems with your e-mail server, you may need to bring in an outside consultant to look at your systems for signs of compromise and further vulnerability testing.
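
The relay test from the checklist above can also be run by hand against a mail server you administer. The following is an added example, not part of the expert's answer: it offers the server an outside sender and an outside recipient and reports how the server replies to RCPT TO. The probe addresses and the function names are assumptions made for illustration.

```python
import smtplib
import sys

# Constructed probe addresses on reserved documentation domains; neither
# belongs to the server under test, so accepting the pair means relaying.
PROBE_FROM = "relaytest@example.org"
PROBE_RCPT = "relaytest@example.net"


def classify(code):
    """Map the RCPT TO reply code to a verdict."""
    if code in (250, 251):
        return "accepted"       # server agreed to take outside-to-outside mail
    if 500 <= code <= 599:
        return "refused"        # e.g. 550 relaying denied
    return "inconclusive"       # 4xx: greylisting, rate limit, temporary error


def probe(smtp, mail_from=PROBE_FROM, rcpt_to=PROBE_RCPT):
    """Run the envelope-only probe on a connected smtplib.SMTP object.

    DATA is never sent, so no message is queued or delivered.
    """
    smtp.ehlo_or_helo_if_needed()
    code, text = smtp.mail(mail_from)
    verdict = "inconclusive"
    if code == 250:
        code, text = smtp.rcpt(rcpt_to)
        verdict = classify(code)
    smtp.rset()                 # discard the envelope before disconnecting
    return verdict, code, text.decode(errors="replace")


def check_relay(host, port=25, timeout=10):
    """Connect to a mail server you administer and probe it."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return probe(smtp)


if __name__ == "__main__":
    # Usage: python relay_check.py PUBLIC_IP_ADDRESS
    print(check_relay(sys.argv[1]))
```

Run it from a host outside your own network, because internal clients are often allowed to relay by design. An "accepted" verdict should be confirmed against the server's relay settings, since some servers accept the recipient and reject the message later.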
